January 2025 Patch Tuesday forecast: Changes coming in cybersecurity guidance

Welcome to 2025 and a new year of patch excitement! In my December article, I talked about Microsoft’s Secure Future Initiative (SFI) and how it manifested in many of the Microsoft products released in 2024. While this security technology trend will continue in 2025, I believe we will also see some major changes to guidance regarding the security requirements, operations, and other aspects associated with our industry.

January 2025 Patch Tuesday forecast

Before we get into some of those details, let’s quickly recap December 2024 Patch Tuesday.

Microsoft set of updates

Microsoft released a small set of updates that only applied to Windows 10, Windows 11, Office, and Sharepoint. There were no standalone SSU updates and only a single development tool update for the relatively obscure Microsoft/Muzic. The Microsoft Windows updates addressed 58 CVEs in the workstation and associated server operating systems.

Only CVE-2024-49138 was both publicly disclosed and known to have been exploited. You have probably noticed that Microsoft often limits the amount of information it includes with its CVE disclosures, such as in the case of this CVE: “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”

While this may be the only CVE that has been actively exploited, there are concerns about several others, including CVE-2024-49113 and CVE-2024-49112, which can be chained and used in domain controllers also quickly to crash other Windows servers. The article contains a high-level explanation and a link to the detailed SafeBreach investigation into these vulnerabilities. The good news is they proved the effectiveness of Microsoft’s December update, so ensure you are up-to-date on applying these patches.

.NET Installers

Microsoft sent out a critical announcement to developers with a call to action to check the source of your .NET Installers. Per Microsoft, Edg,io will soon cease operations due to bankruptcy. “It is possible that azureedge.net domains will have downtime soon. We expect these domains to be permanently retired in the first few months of 2025.” Microsoft provides the changes they’ve made and recommended response activities as the call to action.

Important events

Two events of note foreshadow the start of upcoming changes in cybersecurity guidance I previously mentioned. The first event is a set of proposed amendments to the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was introduced when personal medical records were being ‘digitized’ and focused on ensuring patient privacy and not the security of the systems managing the documents.

The proposed changes will significantly impact the healthcare industry and bring security requirements more in line with traditional security frameworks. The second event is the incoming Trump 2.0 administration and its impact on CISA and other federal organizations. President Trump signed the legislation that created CISA in 2018. The new organization’s purpose was to provide guidance on defending the US infrastructure against cyberattacks and to work with the commercial industry to improve cyber defense.

With the incoming administration’s stated desire to remove regulations so private industry can move faster, we may see some changes in the type of guidance CISA will provide. Also, with a stated desire for the US to be a leader in AI technology, we may see CISA become more involved in that aspect of AI-based security. Time will tell how this evolves. These are just two recent events that will result in new guidance and likely impact the way we conduct security operations, but there are sure more changes to come in 2025.